I have been at several conferences recently on how Data Protection law is developing, and they’ve left me less than optimistic. By the end of 2015 Europe will have been working for four years on a Regulation ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’, but I’m now doubting whether the result will actually achieve either of those.
The draft law was originally promoted as modernised, cloud-friendly and providing a single law across the whole European Union. However, it seems to be failing on all three counts:
· The draft texts acknowledge the internet only by declaring that ‘internet identifiers’ constitute personal data, but show no recognition of the consequences of that; all still regard the physical location of data as paramount.
· They still assume that a data processor has the same access to information as the data controller (a model based on ‘computer bureaux’ of the 1970s), indeed some versions would place additional responsibility on data processors (even, apparently Infrastructure as a Service providers) to ensure appropriate security or allow direct law enforcement access to data without notifying the processor.
· They retain the same options that have allowed divergent national approaches under the current Directive, for example on export formalities; in many areas where Member States have been unable to reach agreement on the Regulation text the preferred solution appears to be to allow each to implement their own preference.
Alongside these developments, the courts have been adopting literal interpretations of the current Directive – giving the law the widest possible scope and making exemptions as narrow as possible – apparently relying on legislators to fix the resulting impracticalities. For example: following Lindqvist, anyone who posts information about another person to a public website is classed as a data controller, with all the duties the law imposes (in the UK any data controller who does not register with the Information Commissioner is committing a criminal offence!); following Ryneš any CCTV that covers any public space must display a notice, which will be tricky for dashboard and cycle helmet cams. We’re all data controllers now!
This hasn’t been widely noticed (at least not till the recent Google Spain case) because regulators have been highly selective in which parts of the law they are actually enforcing. Probably the last thing the UK Information Commissioner wants is for every social network user in the UK to turn up with a Data Controller registration form and a cheque! David Erdos gathered startling survey results showing just how widely regulators’ interpretation of what the law said about various online activities (tweeting, blogging, etc.) differed from the enforcement measures they were actually taking. Cookie law is far from the only example. Estimates of the resources available to regulators across Europe (typically a few pence per data subject per year) help to explain why.
But at the same time expectations have been raised unrealistically high by slogans such as the ‘right to be forgotten’ (in two different contexts) and suggestions that data protection law can prevent spying: actually it can’t, it doesn’t even try, and the new legislation that might bring law enforcement activities roughly into line with the 1995 Directive seems to be taking even longer than the Regulation.
None of this helps organisations that want to provide services that protect users’ rights. At one time we could use the law itself as guidance, and aiming for compliance was a reasonable course. However, with judgments such as Google Spain not even attempting to base their arguments in statute and more than a thousand differences between proposed texts of the Data Protection Regulation, it’s really hard to work out what the law now is. Guidance from regulators such as our own Information Commissioner may be a better option, though this may not answer specific questions and is liable to change more often than the twenty-year cycle of formal law. The eight data protection principles remain a sound basis that is unlikely to change, but at the level of detail that the EU Regulation is attempting organisations may need to balance the benefits of a particular course of action against the risk that it may not be perfectly compliant.
For a privacy-conscious person that’s scary, because it means the organisations most likely to be processing my personal data are the ones that are willing to take risks. If uncertainty about data protection law means that the organisations that would protect my privacy aren’t even willing to offer me services, that would be the worst possible result.
Andrew Cormack is Chief Regulatory Adviser at Jisc Technologies